[solved] fail2ban WARNING invalid command /w ISP Config disabled websites

Hello,

We have a Debian Squeeze (fully upgraded) webserver running ISP Config 3.0.3 (not upgradable because hacked :/) with fail2ban 0.8.6, and recently we added an apache-dos filter in fail2ban in order to mitigate DoS attacks.

In /etc/fail2ban/filter.d/apache-dos.conf:

Code:
# Fail2Ban configuration file
#
# Author: http://www.go2linux.org
#

[Definition]

# Option:  failregex
# Note:    This regex will match any GET entry in your logs, so basically all valid and not valid entries are a match.
#          You should set up in the jail.conf file, the maxretry and findtime carefully in order to avoid false positives.
failregex = ^<HOST>.*\"(GET|POST).*

# Option:  ignoreregex
# Notes.:  regex to ignore. If this regex matches, the line is ignored.
# Values:  TEXT
#
ignoreregex = ^<HOST>.*\"(GET|POST).*Googlebot

In /etc/fail2ban/jail.local:

Code:
[apache-dos]
enabled  = true
port     = http,https
filter   = apache-dos
logpath  = /var/log/ispconfig/httpd/*/access.log
maxretry = 300
findtime = 60

When we restart fail2ban we get the following error in /var/log/fail2ban.conf:

Code:
2013-11-19 17:23:34,126 fail2ban.filter : INFO   Added logfile = /var/log/ispconfig/httpd/foo.com/access.log
2013-11-19 17:23:34,128 fail2ban.comm   : WARNING Invalid command: ['set', 'apache-dos', 'addlogpath', '/var/log/ispconfig/httpd/bar.com/access.log']

where foo.com is an active website and bar.com is a disabled website in ISP Config. Indeed the bar.com access.log file doesn't exist anymore because of log rotation. There are other log files to load, but they don't appear in the list, as if fail2ban had stopped loading them when this warning occurs; if so, then it should be labelled as an error instead of a warning...

Is there a way to fix that in fail2ban and/or ISP Config, or do I have to delete its log dir manually each time I deactivate a website?

Thank you for your help.
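To see what the apache-dos filter and jail above actually do, here is a small simulation of their matching and counting logic over constructed Apache combined-format log lines. This is an added example written for this page, not fail2ban's own code or anything from the post; the expansion of the <HOST> placeholder is reproduced from memory of fail2ban 0.8 and is stated as an assumption, and the IP addresses and request lines are made up. It also shows the weak point of the ignoreregex as written: any client that puts the word "Googlebot" in its User-Agent header is never counted, so the ignore rule is a one-header bypass of the DoS jail.

```python
"""Simulate the apache-dos filter and jail from the post over constructed
Apache combined-format log lines (added example, not fail2ban's own code)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# fail2ban 0.8 replaces the <HOST> placeholder with a named capture group;
# this expansion is reproduced from memory (assumption) and accepts IPv4,
# IPv6-mapped and hostname tokens.
HOST_RE = r"(?:::f{4,6}:)?(?P<host>[\w\-.^_]*\w)"

# Both regexes copied verbatim from the apache-dos.conf in the post.
FAILREGEX = re.compile(r"^<HOST>.*\"(GET|POST).*".replace("<HOST>", HOST_RE))
IGNOREREGEX = re.compile(r"^<HOST>.*\"(GET|POST).*Googlebot".replace("<HOST>", HOST_RE))

# Apache combined format: host ident user [time] "request" status size "referer" "ua"
TIMESTAMP_RE = re.compile(r"\[([^\]]+)\]")


def offending_host(line):
    """Return the host a line is counted against, or None if it is ignored
    or does not match failregex (same order of checks as fail2ban)."""
    m = FAILREGEX.match(line)
    if m is None or IGNOREREGEX.match(line):
        return None
    return m.group("host")


def line_time(line):
    """Parse the bracketed Apache timestamp, e.g. 19/Nov/2013:17:23:34 +0100."""
    return datetime.strptime(TIMESTAMP_RE.search(line).group(1), "%d/%b/%Y:%H:%M:%S %z")


def hosts_to_ban(lines, maxretry=300, findtime=60):
    """Return the hosts that reach maxretry matches inside any findtime-second
    sliding window, i.e. the jail's maxretry/findtime rule from the post."""
    windows = defaultdict(deque)
    banned = set()
    for line in lines:
        host = offending_host(line)
        if host is None:
            continue
        ts = line_time(line)
        w = windows[host]
        while w and (ts - w[0]).total_seconds() > findtime:
            w.popleft()
        w.append(ts)
        if len(w) >= maxretry:
            banned.add(host)
    return banned


def build_sample():
    """Constructed log lines (not real traffic): a flood from one address,
    the same flood with a forged Googlebot User-Agent, and a quiet client."""
    start = datetime(2013, 11, 19, 17, 23, 34, tzinfo=timezone(timedelta(hours=1)))
    fmt = '{ip} - - [{ts}] "GET /index.php HTTP/1.1" 200 512 "-" "{ua}"'
    lines = []
    for i in range(300):  # 300 requests in 30 seconds: well inside findtime=60
        ts = (start + timedelta(seconds=i // 10)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="203.0.113.5", ts=ts, ua="Mozilla/5.0"))
        lines.append(fmt.format(ip="198.51.100.7", ts=ts,
                                ua="Googlebot/2.1 (+http://www.google.com/bot.html)"))
    for i in range(10):
        ts = (start + timedelta(seconds=i)).strftime("%d/%b/%Y:%H:%M:%S %z")
        lines.append(fmt.format(ip="192.0.2.9", ts=ts, ua="Mozilla/5.0"))
    return lines


SAMPLE = build_sample()

if __name__ == "__main__":
    print("banned:", sorted(hosts_to_ban(SAMPLE)))
```

Running it bans only 203.0.113.5: the flood from 198.51.100.7 is identical in volume but is dropped by the ignoreregex purely because of the forged User-Agent string. If the Googlebot exception is needed, it should rest on something the client cannot pick freely (for example a reverse-DNS check on the address, or simply a higher threshold rather than an exemption), not on a substring of the User-Agent.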
Simple solution

I found that the problem is about broken symbolic links created during the log rotation:

Code:
access.log -> YYYYMMDD-access.log

where YYYYMMDD is the day AFTER the website was deactivated, and so the YYYYMMDD-access.log does not exist.

For now the simplest fix I found is to manually create the missing files so the symlinks are fixed and fail2ban can continue loading logfiles.

That fixed my problem, unless someone has a better/cleaner solution.
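The manual fix above can be automated. The following is an added example, not code from ISPConfig, fail2ban or the poster: it walks the per-site log directories, finds access.log symlinks whose rotated target is missing, and either creates the empty target (the fix used in the thread) or removes the dangling link so fail2ban's logpath glob no longer matches it. The directory layout /var/log/ispconfig/httpd/<site>/access.log -> YYYYMMDD-access.log is taken from the thread; the demo builds a throwaway copy of that layout in a temporary directory with constructed site names.

```python
"""Find and repair dangling access.log symlinks left behind when ISPConfig
deactivates a site, so fail2ban's logpath glob stops tripping over them.
Added example, not ISPConfig's or fail2ban's own code."""
import os
import pathlib
import tempfile


def dangling_access_logs(root):
    """Return the access.log symlinks under root/<site>/ whose target is missing."""
    root = pathlib.Path(root)
    found = []
    for site in sorted(p for p in root.iterdir() if p.is_dir()):
        link = site / "access.log"
        # is_symlink() is true even for a dangling link; exists() follows it
        if link.is_symlink() and not link.exists():
            found.append(link)
    return found


def repair(link, mode="touch"):
    """mode="touch": create the missing target as an empty file (the fix used
    in the thread).  mode="unlink": drop the symlink so the glob skips it."""
    if mode == "touch":
        # readlink() gives the raw target; a relative one resolves against the link's dir
        target = link.parent / os.readlink(link)
        target.touch(exist_ok=True)
        return target
    if mode == "unlink":
        link.unlink()
        return None
    raise ValueError("unknown mode: %r" % mode)


def demo(mode="touch"):
    """Build a constructed log tree with one healthy and one dangling link,
    repair it, and return the site names that were broken before and after."""
    root = pathlib.Path(tempfile.mkdtemp())
    # foo.com: active site, rotated file present (constructed)
    (root / "foo.com").mkdir()
    (root / "foo.com" / "20131119-access.log").touch()
    os.symlink("20131119-access.log", root / "foo.com" / "access.log")
    # bar.com: deactivated, link rotated to a file that was never created (constructed)
    (root / "bar.com").mkdir()
    os.symlink("20131120-access.log", root / "bar.com" / "access.log")

    before = [p.parent.name for p in dangling_access_logs(root)]
    for link in dangling_access_logs(root):
        repair(link, mode)
    after = [p.parent.name for p in dangling_access_logs(root)]
    return before, after


if __name__ == "__main__":
    print(demo())
```

On the real server the same two functions would be pointed at /var/log/ispconfig/httpd and run as root before fail2ban starts (for example from a cron job or a wrapper around the init script); the touched file only needs to be readable by fail2ban. Removing the link instead of touching the target is the cleaner option for a site that will stay disabled, since it leaves no empty log file behind.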
Off topic, but: an old version like this contains security issues for sure. The necessary work to upgrade to the latest version should be less than restoring the system because of being hacked, don't you think?
Sure! We'd like to upgrade and we'll do it ASAP... but unfortunately we don't have time for that right now. We use the ISP Config back-end internally inside our company on a closed network port. If there are open vulnerabilities, they should be in configuration files and/or permissions that ISP Config writes (mainly for Apache2). If that were the case (which I doubt) we could still modify config templates without having to upgrade ISPC. We plan to move our servers in a few months to a new architecture, so we will surely upgrade on that occasion.

EDIT: More important: I will do my best NOT to hack ISPC next time so that we can upgrade it anytime.